Dangerous Downloads: What the FDM Hack Teaches Us About Supply Chain Risks
Commentary
October 6, 2023
When you download a piece of software, you likely assume it is safe if it comes from a reputable source. A recent high-profile supply chain attack delivered a sobering reminder: even a trusted distributor can unknowingly hand malware to its own users.
Free Download Manager (FDM), a popular cross-platform download manager, recently disclosed that attackers compromised its website and used it to serve an infected Linux build of the software for roughly three years. Malware implanted directly into the vendor's own distribution channel is a textbook supply chain attack, and the case shows how long such an infection can go unnoticed.
How supply chain attacks operate
Ranked second in the OWASP Mobile Top 10 (M2: Inadequate Supply Chain Security), supply chain attacks compromise a trusted software source so that malware is planted upstream of the user, in the build, packaging or distribution step. Because the tampering happens before delivery, the tainted program arrives looking exactly like a legitimate release and slips past endpoint defenses that are tuned to catch malware coming from untrusted places.
Video: Breaking down a mobile app supply chain attack
In the FDM case, hackers associated with an Eastern European cybercrime group exploited a vulnerability in FDM's website. They altered the page hosting the Linux download so that visitors were redirected to an attacker-controlled site instead of being served the real FDM installer.
For roughly three years, Linux users who followed the redirected link unknowingly downloaded a Trojanized Debian package of FDM carrying the malware. The Windows and Mac builds were not affected.
Once installed, the malware pursued a two-pronged strategy on victims' systems:
Quietly stealing sensitive data such as saved passwords, cryptocurrency wallet files, cloud service credentials, browsing history and system information.
Establishing a backdoor that gave the attackers remote access to the infected machine.
By compromising the distribution channel itself, the attackers sidestepped the controls that normally catch malware arriving from outside: antivirus, network filtering and application allowlisting all saw a download that appeared to come from the official vendor's page. Two properties of the packaging made this worse. Installing a standalone .deb with dpkg does not verify any signature on the package by default, and a package's maintainer scripts (preinst, postinst and friends) run as root at install time, so an implant delivered this way needs no user interaction beyond the install itself.
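The three checks a practitioner would want before letting such a package near dpkg are: confirm the download never left the vendor's hosts, compare the file against a digest obtained out of band, and read the maintainer scripts that will run as root. The script below is an added example, not FDM's code or the attacker's package; the vendor hosts, the redirect chain, the "published" digest and the sample postinst are all constructed for the demonstration. It builds a tiny .deb in memory (a .deb is an `ar` archive holding control.tar and data.tar) so that it runs offline, and the postinst it inspects merely imitates the generic drop-a-binary-and-persist-via-cron pattern.

```python
"""Pre-install checks for a downloaded .deb (added example; hosts, digest and package are constructed)."""
import hashlib
import io
import tarfile
from urllib.parse import urlparse

# Hypothetical vendor hosts: in practice, take these from the vendor's published download page.
ALLOWED_HOSTS = {"vendor.example", "files.vendor.example"}
# Strings a download manager's maintainer script has no legitimate reason to contain.
SUSPICIOUS = ("/var/tmp/", "/tmp/", "/dev/shm/", "crontab", "curl ", "wget ", "base64 -d")
# Constructed postinst imitating the drop-a-binary-and-persist pattern; not the real script.
SAMPLE_POSTINST = b"""#!/bin/sh
set -e
cp /usr/share/demo/.payload /var/tmp/crond
chmod 755 /var/tmp/crond
(crontab -l 2>/dev/null; echo '*/10 * * * * /var/tmp/crond') | crontab -
exit 0
"""

def first_foreign_hop(redirect_chain, allowed_hosts=ALLOWED_HOSTS):
    """Return the first URL in a redirect chain whose host is not allowlisted, else None."""
    for url in redirect_chain:
        if (urlparse(url).hostname or "").lower() not in allowed_hosts:
            return url
    return None

def sha256_matches(blob, expected_hex):
    """Compare the package against a digest obtained out of band (vendor page, signed release notes)."""
    return hashlib.sha256(blob).hexdigest() == expected_hex.lower()

def _tar_gz(files):
    """Build an in-memory .tar.gz from {name: bytes}; used only to construct the sample package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name="./" + name)
            info.size, info.mode = len(content), 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _ar_member(name, payload):
    """One member of a classic `ar` archive: 60-byte header, payload, newline pad to even length."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}`\n".encode()
    return header + payload + (b"\n" if len(payload) % 2 else b"")

def build_deb(control_files, data_files):
    """Assemble a minimal .deb (debian-binary, control.tar.gz, data.tar.gz) for the demo."""
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(control_files))
            + _ar_member("data.tar.gz", _tar_gz(data_files)))

def ar_members(blob):
    """Parse an `ar` archive into {member_name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive, so not a .deb")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members

def maintainer_scripts(deb_blob):
    """Return {script: text} for preinst/postinst/prerm/postrm; these run as root at install time."""
    members = ar_members(deb_blob)
    control = next(v for k, v in members.items() if k.startswith("control.tar"))
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tf:
        for m in tf.getmembers():
            base = m.name.lstrip("./")
            if m.isfile() and base in ("preinst", "postinst", "prerm", "postrm"):
                scripts[base] = tf.extractfile(m).read().decode(errors="replace")
    return scripts

def suspicious_lines(script_text):
    """Lines of a maintainer script that touch temp dirs, cron, or fetch/decode payloads."""
    return [ln.strip() for ln in script_text.splitlines() if any(p in ln for p in SUSPICIOUS)]

def run_demo():
    """End-to-end check on a constructed download; returns the verdicts a wrapper script would act on."""
    chain = ["https://vendor.example/download/linux/",      # constructed redirect chain
             "https://deb.vendor-pkg.example/demo.deb"]      # the hop a user never notices
    deb = build_deb({"control": b"Package: demo\nVersion: 1.0\n", "postinst": SAMPLE_POSTINST},
                    {"usr/bin/demo": b"#!/bin/sh\necho demo\n"})
    pinned = hashlib.sha256(deb).hexdigest()   # stands in for the digest published by the vendor
    flagged = {n: suspicious_lines(t) for n, t in maintainer_scripts(deb).items()}
    return {"foreign_hop": first_foreign_hop(chain),
            "hash_ok": sha256_matches(deb, pinned),
            "hash_ok_after_tamper": sha256_matches(deb + b"\n", pinned),
            "flagged": flagged}

if __name__ == "__main__":
    print(run_demo())
```

For a real download, the redirect chain comes from the HTTP client (for example the effective URL curl reports after following redirects), the pinned digest must come from somewhere other than the page that served the file, and any flagged maintainer-script line is reason enough to stop and read the whole script before installing.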
A prolonged breach
Particularly troubling is the lifespan of this attack: the compromised page served the Trojanized package from 2020 until 2022, and the incident was not publicly known until Kaspersky published its findings in September 2023.
Some Linux users did report strange behavior after installing FDM during this period, but the root cause only came to light with Kaspersky's investigation.
FDM ultimately determined that a Ukrainian hacking group had compromised a specific web page to carry out the attack. The malicious redirect was removed inadvertently during a routine site update in 2022, which is what finally closed the breach.
In response, FDM released a detection script that lets users check their systems for signs of infection, and advised anyone who finds them to reinstall the system rather than attempt a cleanup. That advice reflects how deep a supply chain implant's footprint can reach once it has run as part of a trusted package's installation.
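The script FDM published looks for that specific implant. A more general triage that a defender can run on any Linux host asks two questions the drop-and-persist pattern cannot avoid answering: is anything scheduled to run out of a world-writable temp directory, and are there executables sitting in those directories at all. The code below is an added example, not FDM's detection script; the crontab it parses and the directory it scans are constructed, and the temp-directory heuristic is an assumption about the pattern rather than an indicator taken from the incident.

```python
"""Generic post-install triage for the drop-and-persist pattern (added example; sample data constructed)."""
import os
import stat
import tempfile

# World-writable locations from which no legitimately installed service should be scheduled.
TEMP_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")

SAMPLE_CRONTAB = """\
# constructed crontab, not a capture from an infected host
MAILTO=""
0 3 * * * /usr/bin/apt-get update
*/10 * * * * /var/tmp/crond
@reboot /dev/shm/.x/updater --quiet
"""

def temp_dir_cron_jobs(crontab_text, temp_dirs=TEMP_DIRS):
    """Return (schedule, command) for crontab entries whose command references a temp directory."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue                      # blank, comment, or VAR=value line
        if line.startswith("@"):          # @reboot, @daily, ... take one field
            schedule, command = line.split(None, 1) if " " in line else (line, "")
        else:                             # five time fields, then the command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        if any(tok.startswith(temp_dirs) for tok in command.split()):
            hits.append((schedule, command))
    return hits

def executables_in(dirs):
    """Regular files with any execute bit set under the given directories (symlinks skipped)."""
    found = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                    found.append(path)
    return sorted(found)

def run_demo():
    """Run both checks on constructed input; returns what a triage run would report."""
    with tempfile.TemporaryDirectory() as scratch:
        fake_var_tmp = os.path.join(scratch, "var_tmp")   # stands in for /var/tmp
        os.makedirs(os.path.join(fake_var_tmp, "sub"))
        dropped = os.path.join(fake_var_tmp, "crond")
        with open(dropped, "wb") as fh:
            fh.write(b"\x7fELF")                            # stands in for a dropped binary
        os.chmod(dropped, 0o755)
        note = os.path.join(fake_var_tmp, "sub", "notes.txt")
        with open(note, "w") as fh:
            fh.write("harmless, not executable\n")
        os.chmod(note, 0o644)
        names = [os.path.relpath(p, fake_var_tmp) for p in executables_in([fake_var_tmp])]
    return {"cron_hits": temp_dir_cron_jobs(SAMPLE_CRONTAB), "executables": names}

if __name__ == "__main__":
    # On a real host, feed the output of `crontab -l`, /etc/crontab and /etc/cron.d/* to
    # temp_dir_cron_jobs and point executables_in at TEMP_DIRS; review every hit before trusting the box.
    print(run_demo())
```

Both checks produce leads, not verdicts: a build system may legitimately leave executables in /tmp, and a hit only means a human should look. The point is that a persistence mechanism has to be visible somewhere, and the places it can hide are finite enough to enumerate.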
This case reinforces that supply chain attacks can corrupt the integrity of software long before it reaches customers. Even security-aware users can be left vulnerable when the infection happens at the source.
Securing systems against invisible threats
For individuals and organizations, the FDM breach provides a sobering reminder to re-examine security strategies in light of supply chain risks.
While the FDM incident hit Linux users, supply chain attacks ultimately threaten every organization and individual that relies on downloaded software. Attackers keep probing for the weakest link that gives them a path to high-value targets.
By targeting trusted sources like FDM and tainting software before it reaches customers, supply chain attacks circumvent traditional controls. This allows malware to operate undetected for extended periods, as users have no reason to suspect the integrity of downloads from legitimate providers.
The takeaway is that vigilance is required at all levels for both commercial and open-source software sources. As supply chain attacks grow in frequency and sophistication, building resilience against software corruption will only become more vital.
Verimatrix provides cybersecurity solutions for mobile apps and websites that can help protect organizations against supply chain attacks like FDM. To safeguard your weakest links, ask us about Verimatrix XTD and Web Protect—two cybersecurity solutions that can plug open holes that may exist in your enterprise security wall.
For users and vendors alike, the FDM breach provides an urgent reminder: don’t take your downloads for granted. The next infection may be invisible until it’s too late.
Written by
Dr. Klaus Schenk
Dr. Klaus Schenk is senior vice president of security and threat research at Verimatrix and serves as head of its VMX Labs.